HL Chronicle of Data Protection

Privacy & Information Security News & Trends

Posted in Consumer Privacy, International/EU Privacy

Hogan Lovells Mark Data Privacy Day with Innovation-Enabling Tool

To celebrate Data Protection Day, Hogan Lovells has launched a pioneering new tool that enables clients to deal with privacy compliance in a way that assists innovation and adds value to their products and processes.

The firm’s leading Privacy and Information Management practice has created a unique new tool called the Privacy Innovation Assessment, which examines the privacy implications of new business developments and identifies ways of enhancing their value. This tool is guided by the team’s philosophy that addressing privacy and data protection is not just about compliance with the law, but about realizing the full potential of a key business asset.

Posted in Consumer Privacy

Internet of Things Report Released by the FTC

The Federal Trade Commission (FTC) yesterday released its staff report on the Internet of Things (IoT). The report summarizes the FTC’s November 2013 workshop, “The Internet of Things: Privacy and Security in a Connected World,” and provides FTC staff recommendations in this area. Notably, the report also describes best practices for data security and data minimization, and reaffirms the FTC’s commitment to notice and choice principles. We provide below an overview of the staff’s recommendations and the concurring and dissenting views of Commissioners Ohlhausen and Wright.

Posted in International/EU Privacy

Will the New EU Data Protection Regulation Facilitate Healthcare Innovation?

Technology has transformed and disrupted long-standing industries as well as created new industries along the way. The digital revolution in the healthcare industry appears to have been long promised but much delayed. There may be a number of understandable reasons why the wheels have not turned so quickly. For instance, unlike, say, the financial services industry, which is private sector led, the healthcare industry has obvious public sector touch points which can make any sort of change slower. But just as information about an individual’s bank balance or salary is considered confidential, so a person’s health information is particularly sensitive, both in a legal sense (because health information is categorised as sensitive under EU data protection law) and in an obviously everyday sense – people feel that their health information (in most but not all circumstances) is private.

Posted in Cybersecurity & Data Breaches

Data Breaches Hit the Board Room: How to Address Claims Against Directors and Officers

News headlines about data breaches are becoming more and more common. During the last year alone, major retailers, restaurants, and financial institutions have all reported data breaches.

The traditional aftermath of a data breach can involve regulatory investigations and lawsuits against the company by consumers or financial institutions claiming to have been harmed by the data breach. In recent years, a new trend also is emerging: shareholder derivative cases and securities class actions filed against directors and officers alleging claims for breach of fiduciary duty, or even securities fraud, relating to the data breach. The recent dismissal of one such lawsuit against the directors and officers of Wyndham Worldwide Corporation (Wyndham) provides insight on steps directors and officers can take to protect themselves from claims of breach of fiduciary duty in these lawsuits.

Posted in International/EU Privacy

The Compliance Challenges That Can No Longer Be Ignored

Although Asia’s data privacy laws draw from a common set of guiding principles, each law is unique. Moreover, as freshly minted regulators come to grips with these new laws, differences in interpretation and underlying policy are becoming apparent. As a consequence, there is now a ‘patchwork’ of compliance requirements across the region. Depending on the country, sector-specific laws, consumer protection laws, employment laws and laws in emerging areas such as cybersecurity also complicate the compliance picture for Asia, and there is no common framework for any of these laws.

Posted in Consumer Privacy

The 2015 State of the Union Addresses Cybersecurity, Data Security, and Privacy

Tonight, the President’s State of the Union address covered, as he put it, “the tasks that lie ahead.” Among the policy initiatives that he proposed, he “urge[d] . . . Congress to finally pass the legislation we need to better meet the evolving threat of cyber-attacks, combat identity theft, and protect our children’s information.” What he was referring to is a set of cybersecurity and information-sharing initiatives and privacy and data security proposals that the White House started rolling out last week. The President also alluded to a report to be released next month that will address the Administration’s actions to curtail domestic surveillance programs. We provide here excerpts of the President’s address that discuss cybersecurity, data security, and privacy.

Posted in International/EU Privacy

French Consumer Protection Panel Flags Unfair Privacy Practices

Like the United States, France has a broadly worded consumer protection statute prohibiting unfair clauses in consumer contracts (the French term is “clauses abusives”). What constitutes an “unfair” clause is in some cases fixed by regulation. But in many cases, the term is left to the interpretation of the courts and France’s consumer protection agency, the DGCCRF. France created an advisory panel to issue guidance on what constitutes an unfair clause in various circumstances. On December 3, 2014, the panel published a lengthy opinion identifying 46 clauses in social media terms of use and privacy policies that the panel considers unfair.

Posted in International/EU Privacy

Hong Kong Privacy Commissioner Issues Guidance on Cross-Border Data Transfers

On 29 December, 2014, Hong Kong’s Privacy Commissioner for Personal Data (the Commissioner) published a guidance note concerning the potential implementation of section 33 of the Personal Data (Privacy) Ordinance (the PDPO), which would restrict the export of personal data from Hong Kong.

In a recent client alert, partner Mark Parsons and associate Peter Colegate from the Hogan Lovells Hong Kong office explore the Commissioner’s understanding of how section 33 would be implemented, including some important nuances that are particularly relevant to multi-national businesses operating in Hong Kong and the wider region.

To read the client alert in full, click here.

Posted in International/EU Privacy

New EU Data Protection Law in 2015? Decisiveness, Flexibility and Direction are the Answer

All eyes are currently on the Council of the EU to figure out when and in what form we are likely to see a new EU data protection law emerging. The adoption of this law, which has been in the making since the European Commission presented its vision for a modern privacy regime in 2010, will have vital and global implications for the future of our data-driven existence. This explains the cautious progress so far, but the need for a modernised regime is pressing. Six presidencies have so far managed the adoption process within the Council—which together with the European Parliament has legislative responsibility for passing EU laws—and each has made its own contribution to the process. But the Council has been the key focus of attention of the ongoing legislative process since the European Parliament approved its own draft of the EU Data Protection Regulation in early 2014.

Posted in International/EU Privacy

New CNIL Accountability Standard May Become European Model

The chairwoman of the French data protection authority (the CNIL), Isabelle Falque-Pierrotin, has long been an outspoken proponent of companies having internal accountability mechanisms for data protection compliance. On January 13, 2015, the CNIL published a standard defining what accountability means in practice. Companies that demonstrate that they comply with the new standard will be able to obtain an “accountability seal” from the CNIL.

The accountability seal does not create any new rights for a company under existing French law. Rather, the primary purpose of the CNIL’s new accountability standard is to prepare companies for the day when accountability will become a legal obligation under the future EU General Data Protection Regulation. Under the draft Regulation as currently proposed, all companies will be obligated to implement some form of internal accountability program for compliance with the Regulation, sometimes referred to as a “data privacy governance” program. The draft Regulation is not likely to contain details indicating what an accountability or data privacy governance program looks like in practice. The CNIL standard is therefore likely to create a precedent to which other European regulators may look when they develop their own accountability standards under the Regulation.